Abstract — Language-based information flow security aims to decide whether an action-observable program can unintentionally leak confidential information when it has the authority to access confidential data. Recent concerns about declassification policies have provided many choices for practical intended information release, but more precise enforcement mechanisms for these policies are insufficiently studied. In this paper, we propose a security property on the where-dimension of declassification and present an enforcement based on automated verification. The approach automatically transforms the abstract model with a variant of self-composition and checks the reachability of the illegal-flow state of the model after transformation. The self-composition is equipped with a store-match pattern to reduce the state space and to model the equivalence of declassified expressions in the premise of the property. The evaluation shows that our approach is more precise than type-based enforcement.

Index Terms — information flow security; declassification; pushdown system; program analysis

I. Introduction 

Information flow security is concerned with finding new techniques to ensure that confidential data will not be illegally leaked to public observation. The topic is popular at both the language level and the operating system level. Language-based techniques have been pervasively adopted in the study of information flow security; they are comprehensively surveyed in [1]. Noninterference [2] is commonly known as the baseline property of information flow security. The semantics-based definition of noninterference [3] on the batch-job model characterizes a security condition specifying that the system behavior is indistinguishable from the perspective of an attacker regardless of the confidential inputs. Noninterference is criticized for the restriction that forbids any flow from high to low. This restriction influences the usability of the system because deliberate release is pervasive in many situations, e.g. password authentication, online shopping and encryption. Therefore, it is important to specify more relaxed and practical policies for real application scenarios and to develop precise enforcement mechanisms for these policies.

The confidentiality aspect of information downgrading, i.e. declassification [4], allows information release with different intentions along four dimensions [5]: what is released, where the release happens, when the information can be released and who releases it. The security policy we propose is on the where-dimension. On this dimension, there have been several policies, e.g. intransitive noninterference [6], non-disclosure [7], WHERE [8], flow locks [9], and gradual release [10]. Each of them leverages a certain category of type system to enforce the security policy.

In this work, we first use an approach based on automated verification to enforce a declassification policy on the where-dimension. As a flow-sensitive and context-sensitive technique, automated verification has been used as an enforcement of noninterference on both imperative languages [11], [12] and object-oriented languages [13], [14]. In these works declassification is only discussed in [12], where the specific property, relaxed noninterference [15], is mostly on the what-dimension.

The approaches based on automated verification usually rely on some form of self-composition [11] that composes the program model with a variable-renamed copy to reduce the security property on the original model to a safety property on the model after transformation. In our previous work [14], we have developed a framework that uses reachability analysis to ease the specification of temporal logic formulas or the manual assertion encoding partial correctness judgements. The self-composition doubles the size of the memory store and largely increases the state space of the model. When the I/O channels are considered, this effect becomes more serious since each store of a channel is modeled explicitly. On the other hand, the security property often requires the equivalence of declassified expressions to be satisfied. Therefore in our enforcement we propose a store-match pattern to 1. avoid duplicating the output channels, and 2. facilitate the self-composition by modeling the equivalence of declassified expressions in the premise of the security property. We also evaluated the similarity of the properties and the preciseness of our enforcement mechanism compared with type systems.

The main contributions of the paper include: (i) We propose a more relaxed security property enforceable with automated verification on the where-dimension; (ii) We give a flow-sensitive and context-sensitive enforcement based on reachability analysis of pushdown systems. We show the mechanism is more precise than type-based approaches; (iii) We propose a store-match pattern that can be commonly used in automated verification to reduce the state space of the model and the cost of security analysis.

The rest of the paper is organized as follows. In Section II we introduce the language model and the baseline property.



$$e ::= v \mid x \mid e \oplus e$$

$$C ::= \mathit{skip} \mid x := e \mid x := \mathit{declass}(e) \mid \mathit{if}\ e\ \mathit{then}\ C\ \mathit{else}\ C' \mid \mathit{while}\ e\ \mathit{do}\ C \mid C; C' \mid \mathit{input}(x, I_i) \mid \mathit{output}(e, O_i)$$

Fig. 1. Program Syntax

$$(\mu, I, O, p, q, \mathit{skip}; C) \to (\mu, I, O, p, q, C)$$

$$\frac{\mu(e) = v}{(\mu, I, O, p, q, x := e; C) \to (\mu[x \mapsto v], I, O, p, q, C)}$$

$$\frac{\mu(e) = b}{(\mu, I, O, p, q, \mathit{if}\ e\ \mathit{then}\ C_{\mathit{true}}\ \mathit{else}\ C_{\mathit{false}}) \to (\mu, I, O, p, q, C_b)}$$

$$\frac{\mu(e) = \mathit{true}}{(\mu, I, O, p, q, \mathit{while}\ e\ \mathit{do}\ C) \to (\mu, I, O, p, q, C; \mathit{while}\ e\ \mathit{do}\ C)}$$

$$\frac{\mu(e) = \mathit{false}}{(\mu, I, O, p, q, \mathit{while}\ e\ \mathit{do}\ C) \to (\mu, I, O, p, q, \mathit{skip})}$$

$$\frac{(\mu, I, O, p, q, C_1) \to (\mu', I', O', p', q', C_1')}{(\mu, I, O, p, q, C_1; C_2) \to (\mu', I', O', p', q', C_1'; C_2)}$$

$$\frac{I_i[p_i] = v \qquad p_i' = p_i + 1}{(\mu, I, O, p, q, \mathit{input}(x, I_i); C) \to (\mu[x \mapsto v], I, O, p', q, C)}$$

$$\frac{\mu(e) = v \qquad O_i' = O_i[q_i \mapsto v] \qquad q_i' = q_i + 1}{(\mu, I, O, p, q, \mathit{output}(e, O_i); C) \to (\mu, I, O', p, q', C)}$$

$$\frac{\mu(e) = v \qquad \sigma(e) \preceq \sigma(x)}{(\mu, I, O, p, q, x := \mathit{declass}(e); C) \to (\mu[x \mapsto v], I, O, p, q, C)}$$

$$\frac{\mu(e) = v \qquad \sigma(x) \prec \sigma(e) \qquad (\sigma(e), \sigma(x)) \in \rightsquigarrow}{(\mu, I, O, p, q, x := \mathit{declass}(e); C) \to_d (\mu[x \mapsto v], I, O, p, q, C)}$$

Fig. 2. Operational Semantics

In Section III we define the where-security and prove the compliance of the property with the prudent principles. Section IV describes the enforcement mechanism. We show the evaluation in Section V and conclude in Section VI.

II. Program Model and Baseline Property 

We use a sequential imperative language with I/O channels as the presentation language to illustrate our approach. The syntax is listed in Fig. 1. The language is deterministic. The primitive declass stands for declassification that downgrades the confidential data of expression e to be assigned to variable x with a lower security domain. Here x can be considered as a low-level sink of data observable to the attacker. I and O are respectively the set of input and output channels. They are formally defined as a mapping from each channel identifier i to a linear list, e.g. $I_i$ resp. $O_i$. The command $\mathit{input}(x, I_i)$ indicates that the input from $I_i$ is assigned to x, and the command $\mathit{output}(e, O_i)$ stores the value of expression e at the correct position of $O_i$.

The computation is modeled by the small-step operational semantics in Fig. 2. The inductive rules are defined over configurations of the form $(\mu, I, O, p, q, C)$. $\mu : \mathit{Var} \to \mathbb{N}$ is a memory store mapping variables to values and C is the command to be executed. p and q are sets of indices: $p_i$ denotes the index of the next element to be input from $I_i$, and $q_i$ is the index of the location of $O_i$ where the next output value will be stored. The elements in p and q are explicitly increased by the computation of inputs and outputs.

The security policy is a tuple $(\mathcal{D}, \preceq, \rightsquigarrow, \sigma)$ where $(\mathcal{D}, \preceq)$ is a finite security lattice on security domains and $\rightsquigarrow$ is an exceptional downgrading relation on security domains ($\rightsquigarrow \cap \preceq = \emptyset$) statically gathered from the program. Let $\sigma : \mathit{Var} \cup I \cup O \to \mathcal{D}$ be the mapping from I/O channels and variables to security domains, and let $\sigma(e) = \bigsqcup_{x \in e} \sigma(x)$ be the least upper bound of the security domains of the variables contained in e. When a command $x := \mathit{declass}(e)$ in the program has $\sigma(x) \prec \sigma(e)$, the declass operation performs a real downgrading from some variable in e, and only then is an element $(\sigma(e), \sigma(x))$ contained in the relation $\rightsquigarrow$; otherwise the operation is identical to an ordinary assignment. We label the transition of declassification with $\to_d$ in Fig. 2. The security policy is different from the MLS policy with exceptions proposed in [6], [8], [16], where the set of exceptional relations is independent of the declassification operations. In our policy the exceptions are gathered from the declass commands. Our treatment is reasonable since developers should have the right to decide the exception when they use the primitive declass explicitly. This is also supported in other work, e.g. [17].

We specify noninterference with the semantics-based PER model [3]. Intuitively speaking, it specifies a relation between the states of any two correlative runs of a program, namely that variation in the confidential initial state cannot cause variation in the public final state. In other words, the runs starting from indistinguishable initial states derive indistinguishable final states as well. For the language with I/O, the indistinguishability relation on memory stores and I/O channels with respect to a certain security domain $\ell$ is defined as below.

Definition 1 ($\ell$-indistinguishability). Memory stores $\mu_i$ and $\mu_j$ are indistinguishable on $\ell$ ($\ell \in \mathcal{D}$), denoted by $\mu_i \sim_\ell \mu_j$, iff $\forall x \in \mathit{Var}.\ \sigma(x) \preceq \ell \Rightarrow \mu_i(x) = \mu_j(x)$. For input channels $I_i$ and $I_j$, $I_i \sim_\ell I_j$ iff $(\sigma(I_i) = \sigma(I_j) \preceq \ell) \wedge (p_i = p_j \wedge \forall 0 \le k < p_i.\ I_i[k] = I_j[k])$. Similarly, for output channels $O_i$ and $O_j$, $O_i \sim_\ell O_j$ iff $(\sigma(O_i) = \sigma(O_j) \preceq \ell) \wedge (q_i = q_j \wedge \forall 0 \le k < q_i.\ O_i[k] = O_j[k])$.

For two observable channels with the same security domain, the indistinguishable linear lists should have the same length and identical content. Let $I^\ell$ be the set of input channels with security domain $\ell'$ ($\ell' \preceq \ell$). If the sets I and I' have the same domain, e.g. as the inputs of the same program, we can use $I \sim_\ell I'$ to express $\forall i.\ I_i \in I^\ell \Rightarrow I_i \sim_\ell I'_i$. The noninterference formalized here takes the I/O channels into consideration and is therefore different from that for the batch-job model [3]. It is given as follows.

Definition 2 (Noninterference). Program P satisfies noninterference w.r.t. security domain $\ell_0$ iff $\forall \ell \preceq \ell_0$, we have

$$\begin{array}{l}
\big(\forall I, \mu, I', \mu', O_f, \mu_f.\ (\mu, I, O, p, q, P) \to^* (\mu_f, I, O_f, p_f, q_f, \mathit{skip}) \wedge I \sim_\ell I' \wedge \mu \sim_\ell \mu'\big) \Rightarrow \\
\big(\exists O'_f, \mu'_f.\ (\mu', I', O', p', q', P) \to^* (\mu'_f, I', O'_f, p'_f, q'_f, \mathit{skip}) \wedge O_f \sim_\ell O'_f \wedge \mu_f \sim_\ell \mu'_f\big)
\end{array}$$

In this definition, the noninterference property is related to a security domain $\ell_0$. The content of channels with security domain $\ell'$ ($\ell' \succ \ell_0$) is unobservable and irrelevant to the property. A more specific way to define noninterference is to require $\ell_0 = \bigsqcup \mathcal{D}$. That means the proposition in Definition 2 has to be satisfied for each security domain in $\mathcal{D}$. We use this definition in the following. Our definition considers the indistinguishability of the initial and final states but does not characterize the relation in each computation step as the bisimulation-based approach [18] does. Another use of the security domains of variables is to specify where a valid declassification occurs. This will be discussed below.

III. Where-Security and Prudent Principles 

In this section, we give a security condition to control the legitimate release of confidential information on the where-dimension of security goals. It considers both the code locality where the release occurs and the level locality, i.e. to which security domain the release is legal. Let $\twoheadrightarrow$ represent a (possibly empty) sequence of declassification-free transitions. A trace of computation is separated into the declassifications labeled with $\to_d$ and the declassification-free computation sequences. The where-security is formally specified as below.

Definition 3 (Where-Security). Program P satisfies where-security iff $\forall \ell \in \mathcal{D}$, we have $\forall I, \mu, I', \mu', n \ge 0$:

$$\begin{array}{l}
\Big(\forall O_{n+1}, \mu_{n+1}.\ (\mu, I, O, p, q, P) \big[\twoheadrightarrow (\mu_{k_s}, I, O_k, p_k, q_k, x_k := \mathit{declass}(e_k); P_k) \to_d (\mu_{k_t}, I, O_k, p_k, q_k, P_k)\big]_{k=1..n} \\
\quad \twoheadrightarrow (\mu_{n+1}, I, O_{n+1}, p_{n+1}, q_{n+1}, \mathit{skip}) \wedge I \sim_\ell I' \wedge \mu \sim_\ell \mu'\Big) \Rightarrow \\
\Big(\exists O'_{n+1}, \mu'_{n+1}.\ (\mu', I', O', p', q', P) \big[\twoheadrightarrow (\mu'_{k_s}, I', O'_k, p'_k, q'_k, x'_k := \mathit{declass}(e'_k); P'_k) \to_d (\mu'_{k_t}, I', O'_k, p'_k, q'_k, P'_k)\big]_{k=1..n} \\
\quad \twoheadrightarrow (\mu'_{n+1}, I', O'_{n+1}, p'_{n+1}, q'_{n+1}, \mathit{skip}) \\
\quad \wedge \bigwedge_{k=1..n} \big(\mu_{k_s} \sim_\ell \mu'_{k_s} \wedge \mu_{k_s}(e_k) = \mu'_{k_s}(e'_k) \Rightarrow \mu_{k_t} \sim_\ell \mu'_{k_t}\big) \\
\quad \wedge \big(\bigwedge_{k=1..n} \mu_{k_s}(e_k) = \mu'_{k_s}(e'_k) \Rightarrow \mu_{n+1} \sim_\ell \mu'_{n+1} \wedge O_{n+1} \sim_\ell O'_{n+1}\big)\Big)
\end{array}$$

Intuitively speaking, when the indistinguishability relation on the final states is violated, the contrapositive implies that it is caused by the variation of the declassified expressions. This variation is indicated as valid by the premise of our property. If the leakage of confidential information is caused by a computation other than the primitive declass, it will be captured because, without constraining the equality of the released expressions, the final indistinguishability cannot hold. Our where-security property is more relaxed than WHERE [8], [16], which uses strong bisimulation and requires each declassification-free computation step to meet the baseline noninterference. We can use explicit final outputs of the public variables to adapt the judgement of $\mu_{n+1} \sim_\ell \mu'_{n+1}$ to the judgement of $O_{n+1} \sim_\ell O'_{n+1}$.

Sabelfeld and Sands [5] clarify four basic prudent principles for declassification policies as sanity checks for a new definition: semantic consistency, conservativity, monotonicity of release, and non-occlusion. Our where-security property can be proved to comply with the first three principles. Let P[C] represent a program containing command C. P[C'/C] substitutes each occurrence of C in P with C'. The principles with respect to the where-security are defined as follows.

Lemma 1 (Semantic Consistency). Suppose C and C' are declassification-free commands and semantically equivalent on the same domain of configurations. If program P[C] is where-secure, then P[C'/C] is where-secure.

Lemma 2 (Conservativity). If program P is where-secure and P contains no declassification, then P satisfies the noninterference property.

Lemma 3 (Monotonicity of Release). If program P[x := e] is where-secure, then P[x := declass(e)/x := e] is where-secure.

Corollary 1. The where-security satisfies semantic consistency, conservativity, and monotonicity of release.

This corollary indicates that the where-security complies with the three prudent principles given by the above lemmas. The proofs of the lemmas are presented in [19]. The non-occlusion principle cannot be formally proved since a proof would require a characterization of secure information flow, which is what we want to check against the prudent principles.

IV. Enforcement 

In this section, we provide a new enforcement for the where-security based on reachability analysis of symbolic pushdown systems [20]. A pushdown system is a stack-based state transition system whose stack, contained in each state, can be unbounded. It is a natural model of sequential programs with procedures. A symbolic pushdown system is a compact representation of a pushdown system encoding the variables and computations symbolically.

Definition 4 (Symbolic Pushdown System, SPDS). A Symbolic Pushdown System is a triple $\mathcal{P} = (\mathcal{G}, \Gamma \times \mathcal{L}, \Delta)$. $\mathcal{G}$ and $\mathcal{L}$ are respectively the domain of global variables and local variables. $\Gamma$ is the stack alphabet. $\Delta$ is the set of symbolic pushdown rules $\{\langle\gamma\rangle \hookrightarrow \langle\gamma_1 \cdots \gamma_n\rangle\ (\mathcal{R}) \mid \gamma, \gamma_1, \ldots, \gamma_n \in \Gamma \wedge \mathcal{R} \subseteq (\mathcal{G} \times \mathcal{L}) \times (\mathcal{G} \times \mathcal{L}^n) \wedge n \le 2\}$.

The stack symbols denote the flow graph nodes of the program. The relation $\mathcal{R}$ specifies the variation of abstract variables before and after a single step of symbolic execution directed by the pushdown rules. The operations on $\mathcal{R}$ are compactly implemented with binary decision diagrams (BDDs) [21] in Moped [22], which we use as the back-end verification engine.

The model construction for commands other than I/O operations is similar to the one in our previous work [23]. In the pushdown system, the public channels are represented by global linear lists. In other words, for a security domain $\ell \in \mathcal{D}$, we only model the channels in $I^\ell$ and $O^\ell$. Take an input command for example: if the source channel is $I_i$, the pushdown rule has the form $\mathrm{IR}_H$ for $\sigma(I_i) \succ \ell$ and $\mathrm{IR}_L$ for $\sigma(I_i) \preceq \ell$ in Table I, where $\bot$ denotes an indefinite value.



TABLE I

PDS Rules for Model Construction

$\mathrm{IR}_H$: $\langle\gamma_j\rangle \hookrightarrow \langle\gamma_k\rangle \quad (x' = \bot) \wedge \mathit{rt}(\mu \setminus \{x\}, I^\ell, O^\ell, p^\ell, q^\ell, \cdots)$

$\mathrm{IR}_L$: $\langle\gamma_j\rangle \hookrightarrow \langle\gamma_k\rangle \quad (x' = I_i[p_i]) \wedge (p_i' = p_i + 1) \wedge \mathit{rt}(\mu \setminus \{x\}, I^\ell, O^\ell, p^\ell \setminus \{p_i\}, q^\ell, \cdots)$

$\mathrm{OR}_H$: $\langle\gamma_j\rangle \hookrightarrow \langle\gamma_k\rangle \quad \mathit{rt}(\mu, I^\ell, O^\ell, p^\ell, q^\ell, \cdots)$

$\mathrm{OR}_L$: $\langle\gamma_j\rangle \hookrightarrow \langle\mathit{output}_{\mathit{entry}}\,\gamma_k\rangle \quad (\mathit{tmp}' = e) \wedge \mathit{rt}(\mu, I^\ell, O^\ell, p^\ell, q^\ell, \cdots) \wedge \mathit{rt}_2(\cdots)$
$\phantom{\mathrm{OR}_L}$: $\langle\mathit{output}_{\mathit{exit}}\rangle \hookrightarrow \langle\varepsilon\rangle \quad \mathit{rt}(\mu, I^\ell, O^\ell, p^\ell, q^\ell, \cdots)$

$\mathrm{DR}$: $\langle\gamma_j\rangle \hookrightarrow \langle\mathit{declass}_{\gamma_j}\rangle \quad (\mathit{tmp}' = e) \wedge \mathit{rt}(\mu, I^\ell, O^\ell, p^\ell, q^\ell, \cdots)$
$\phantom{\mathrm{DR}}$: $\langle\mathit{declass}^{t}_{\gamma_j}\rangle \hookrightarrow \langle\gamma_k\rangle \quad \mathit{rt}(\mu, I^\ell, O^\ell, p^\ell, q^\ell, \cdots)$

TABLE II

Stuffer PDS Rules for Model Transformation

$\mathrm{RST}$: $\langle\gamma_j\rangle \hookrightarrow \langle\xi(\mathit{startConf}(\mathcal{P}))\rangle \quad (\forall p_i \in p^\ell.\ p_i' = 0) \wedge (\forall q_i \in q^\ell.\ q_i' = 0) \wedge \mathit{rt}(\mu, \xi(\mu), I^\ell, O^\ell, \cdots)$

$\mathrm{OS}_i$: $\langle\mathit{output}_{\mathit{entry}}\rangle \hookrightarrow \langle\mathit{output}_{\mathit{exit}}\rangle \quad (O_i[q_i]' = \mathit{tmp}) \wedge (q_i' = q_i + 1) \wedge \mathit{rt}(\mu, \xi(\mu), I^\ell, O^\ell \setminus \{O_i\}, q^\ell \setminus \{q_i\}, \cdots)$

$\mathrm{OM}_i$: $\langle\xi(\mathit{output}_{\mathit{entry}})\rangle \hookrightarrow \langle\mathit{error}\rangle \quad (O_i[q_i] \ne \mathit{tmp}) \wedge \mathit{rt}(\cdots)$
$\phantom{\mathrm{OM}_i}$: $\langle\xi(\mathit{output}_{\mathit{entry}})\rangle \hookrightarrow \langle\xi(\mathit{output}_{\mathit{exit}})\rangle \quad (O_i[q_i] = \mathit{tmp}) \wedge (q_i' = q_i + 1) \wedge \mathit{rt}(\mu, \xi(\mu), I^\ell, O^\ell, q^\ell \setminus \{q_i\}, \cdots)$

$\mathrm{DS}_{\gamma_j}$: $\langle\mathit{declass}_{\gamma_j}\rangle \hookrightarrow \langle\mathit{declass}^{t}_{\gamma_j}\rangle \quad (\mathcal{D}[\rho(\gamma_j)]' = \mathit{tmp}) \wedge (x' = \mathit{tmp}) \wedge \mathit{rt}(\mathcal{D} \setminus \{\mathcal{D}[\rho(\gamma_j)]\}, \mu \setminus \{x\}, \cdots)$

$\mathrm{DM}_{\gamma_j}$: $\langle\xi(\mathit{declass}_{\gamma_j})\rangle \hookrightarrow \langle\mathit{idle}\rangle \quad (\mathcal{D}[\rho(\gamma_j)] \ne \mathit{tmp}) \wedge \mathit{rt}(\mathcal{D}, \cdots)$
$\phantom{\mathrm{DM}_{\gamma_j}}$: $\langle\xi(\mathit{declass}_{\gamma_j})\rangle \hookrightarrow \langle\xi(\mathit{declass}^{t}_{\gamma_j})\rangle \quad (\mathcal{D}[\rho(\gamma_j)] = \mathit{tmp}) \wedge (\xi(x)' = \mathit{tmp}) \wedge \mathit{rt}(\mathcal{D}, \mu \setminus \{\xi(x)\}, \cdots)$



On the other hand, if the target channel of an output is $O_i$, the pushdown rule has the form $\mathrm{OR}_H$ for $\sigma(O_i) \succ \ell$ and $\mathrm{OR}_L$ for $\sigma(O_i) \preceq \ell$ in Table I. $\mathrm{OR}_H$ is just like a transition of skip since the confidential outputs do not influence the public part of the subsequent states. The variable tmp stores the value of the expression to be output or declassified. rt means retainment of the values of global variables and of the values of local variables in $\langle\gamma_j\rangle \hookrightarrow \langle\gamma_k\rangle$. $\mathit{rt}_2$ for a rule $\langle\gamma_j\rangle \hookrightarrow \langle f_{\mathit{entry}}\,\gamma_k\rangle$ denotes retainment of the values of the local variables of the caller of procedure f. The declassifications are modeled with DR in Table I. The bodies of outputs to the different public channels and the bodies of declassifications are vacuous. These absent parts of the model will be filled by the self-composition. This treatment is decided by the store-match pattern, which we develop to avoid the duplication of public channels and to guide the instrumented computation to fulfil the premise of the where-security property.

We follow the principle of reachability analysis for noninterference which we proposed in [14]. The self-composition is divided into three phases: basic self-composition, auxiliary initial interleaving assignments, and illegal-flow state construction. For simplicity, we use the compact self-composition [23] as the basic self-composition. To avoid duplicating the input channels, we reuse the content of the public input channels by resetting the indices $p_i$ to 0 at the beginning of the pairing part of the model, see RST in Table II. This treatment is safe because from the semantics we know that no computation actually modifies the content of the input channels. In order to avoid duplicating the output channels, we propose a store-match pattern of output actions. This is to stuff the model after basic self-composition with the pushdown rules OS and OM in Table II, parameterized with the channel identifier i. The OM rules show that when the output to channel $O_i$ is computed in the second run, it is compared with the corresponding output stored during the first run. If they are not equal, the symbolic



Algorithm 1 Model Transformation

1. $\Delta' \leftarrow \{\langle\gamma_{\mathit{init}}\rangle \hookrightarrow \langle\mathit{startConf}(\mathcal{P})\rangle\ \ (\forall x \in \mathrm{dom}(\mu^\ell).\ \xi(x)' = x) \wedge \mathit{rt}(\mu, I^\ell, O^\ell, p^\ell, q^\ell)\}$
2. for all $r \in \Delta \wedge r \ne \mathit{LastTrans}(\mathcal{P})$ do
3. $\quad \Delta' \leftarrow \Delta' \cup \{r.\mathit{expr}\ \ r.\mathcal{R} \wedge \mathit{rt}(\xi(\mu))\}$
4. end for
5. for all $r \in \Delta$ do
6. $\quad$ if $r.\mathit{expr} = \langle\gamma_j\rangle \hookrightarrow \langle\gamma_s\gamma_k\rangle$ then
7. $\quad\quad \Delta' \leftarrow \Delta' \cup \{\langle\xi(\gamma_j)\rangle \hookrightarrow \langle\xi(\gamma_s)\xi(\gamma_k)\rangle\ \ r.\mathcal{R}^{x \in \mathit{Var}}_{\xi(x)} \wedge \mathit{rt}(\mu)\}$
8. $\quad$ else if $r.\mathit{expr} = \langle\gamma_j\rangle \hookrightarrow \langle\mathit{declass}_{\gamma_j}\rangle$ then
9. $\quad\quad \Delta' \leftarrow \Delta' \cup \{\langle\xi(\gamma_j)\rangle \hookrightarrow \langle\xi(\mathit{declass}_{\gamma_j})\rangle\ \ r.\mathcal{R}^{x \in \mathit{Var}}_{\xi(x)} \wedge \mathit{rt}(\mu)\} \cup \mathrm{DS}_{\gamma_j} \cup \mathrm{DM}_{\gamma_j}$
10. $\quad$ else if $r.\mathit{expr} = \langle\gamma_j\rangle \hookrightarrow \langle\gamma_k\rangle$ then
11. $\quad\quad \Delta' \leftarrow \Delta' \cup \{\langle\xi(\gamma_j)\rangle \hookrightarrow \langle\xi(\gamma_k)\rangle\ \ r.\mathcal{R}^{x \in \mathit{Var}}_{\xi(x)} \wedge \mathit{rt}(\mu)\}$
12. $\quad$ else if $r \ne \mathit{LastTrans}(\mathcal{P})$ then
13. $\quad\quad \Delta' \leftarrow \Delta' \cup \{\langle\xi(\gamma_j)\rangle \hookrightarrow \langle\varepsilon\rangle\ \ r.\mathcal{R}^{x \in \mathit{Var}}_{\xi(x)} \wedge \mathit{rt}(\mu)\}$
14. $\quad$ else
15. $\quad\quad \Delta' \leftarrow \Delta' \cup \{\langle\xi(\gamma_j)\rangle \hookrightarrow \langle\xi(\gamma_j)\rangle\ \ r.\mathcal{R}^{x \in \mathit{Var}}_{\xi(x)} \wedge \mathit{rt}(\mu)\} \cup \{\langle\gamma_j\rangle \hookrightarrow \langle\xi(\mathit{startConf}(\mathcal{P}))\rangle\ \ \mathrm{RST}\}$
16. $\quad$ end if
17. end for
18. $\Delta' \leftarrow \Delta' \cup \bigcup_{O_i \in O^\ell} (\mathrm{OS}_i \cup \mathrm{OM}_i)$



execution is directed to the illegal-flow state error. 

Compared with the noninterference property, the premise of where-security contains equality relations on the declassified expressions; therefore we need some structure to instrument the semantics of the abstract model to make sure the computation can proceed only when the equality relations are satisfied. We define another global linear list $\mathcal{D}$. Suppose there are m declassifications, respectively at code locations $\gamma_{d_i}$ ($0 \le i < m$), and a function $\rho$ mapping $\gamma_{d_i}$ to i. We give another pattern of store-match that stores the value of the expression declassified at $\gamma_{d_i}$ to the site $\mathcal{D}[\rho(\gamma_{d_i})]$, see DS in Table II. The corresponding match operation has the form DM in Table II. Note that $\xi$ is the rename function on the stack symbols to generate new flow graph nodes, as well as on the variables to generate the companion variables for the pairing part of the model. The state idle has only itself as its next state. From the reachability of error we can ensure the violation of where-security without



TABLE III
Difference between Properties

                        WHERE   gradual release   where
noninterference up-to     ✓            ✓            ✗
persistence               ✓            ✗            ✗



considering the equality relations on the subsequent outputs. The self-composition algorithm is given in Algorithm 1. LastTrans returns the pushdown rule with respect to the last return command of the program. The first rule added to $\Delta'$ denotes the initial interleaving assignments from public variables to their companion variables. $r.\mathcal{R}^{x \in \mathit{Var}}_{\xi(x)}$ means the relation substituting each variable in Var with the renamed companion variable.
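As an added example (not the paper's implementation, and not the Remopla/Moped tool chain it uses), the following Python code executes the tuple-encoded syntax of Fig. 1 under the semantics of Fig. 2 and replaces the pushdown reachability analysis by enumeration of pairs of ℓ-indistinguishable initial stores, in the spirit of the "number of bits" bound of Section V. The second run of each pair is driven by the store-match pattern of Table II: outputs are stored by the first run and matched by the second (OS/OM), and declassified values are stored and matched per declassification site (DS/DM), so the illegal-flow state error is reached only when the premise of Definition 3 holds and a public output differs. Assumed here: a total-order lattice on integers, input channels given and shared by both runs, and the identity of the declass node in place of the code location γ_j; P0 and P1 follow the listings of Table IV.

```python
# Bounded where-security check with the store-match pattern of Section IV (constructed example,
# not the paper's Remopla/Moped code; the lattice is assumed to be a total order on ints, 0 = low).
from itertools import product

# Commands of Fig. 1 as tuples: ('skip',) ('asg', x, e) ('declass', x, e) ('if', e, C, C')
# ('while', e, C) ('seq', C, C') ('input', x, i) ('output', e, i). Expressions are an int
# literal, a variable name, or ('op', sym, e1, e2) with sym in + - = <.
def ev(e, mu):
    if isinstance(e, int):
        return e
    if isinstance(e, str):
        return mu[e]
    _, op, a, b = e
    x, y = ev(a, mu), ev(b, mu)
    return {'+': x + y, '-': x - y, '=': int(x == y), '<': int(x < y)}[op]

def level(e, sigma):   # sigma(e): least upper bound (here max) of the variables' domains
    if isinstance(e, int):
        return 0
    if isinstance(e, str):
        return sigma[e]
    return max(level(e[2], sigma), level(e[3], sigma))

class StoreMatch:
    """Global lists O_i (rules OS/OM) and D[rho(gamma)] (rules DS/DM) of Table II."""
    def __init__(self, sigma, ell):
        self.sigma, self.ell = sigma, ell
        self.O, self.q, self.D = {}, {}, {}   # stored outputs, match indices, declassified values
        self.state = 'ok'                     # 'ok' | 'idle' | 'error'
        self.matching = False                 # False: first run stores; True: second run matches

    def output(self, chan, v):
        if self.state != 'ok' or self.sigma[chan] > self.ell:   # OR_H: confidential output is a skip
            return
        if not self.matching:                                   # OS_i: O_i[q_i] := tmp, q_i += 1
            self.O.setdefault(chan, []).append(v)
            return
        k = self.q.get(chan, 0)                                 # OM_i: compare tmp with O_i[q_i]
        if k >= len(self.O.get(chan, [])) or self.O[chan][k] != v:   # unequal or indefinite value
            self.state = 'error'
        self.q[chan] = k + 1

    def declass(self, site, v):
        if not self.matching:                                   # DS: D[rho(gamma_j)] := tmp
            self.D[site] = v
        elif site in self.D and self.D[site] != v:              # DM: mismatch -> idle; an unset
            self.state = 'idle'                                 # entry is indefinite and matches

def run(c, mu, I, p, mon, fuel=200):   # Fig. 2 semantics, bounded by fuel; mon may stop the run
    stack = [c]
    while stack and mon.state == 'ok' and fuel > 0:
        fuel -= 1
        c = stack.pop()
        tag = c[0]
        if tag == 'seq':
            stack.extend([c[2], c[1]])          # C runs before C'
        elif tag == 'asg':
            mu[c[1]] = ev(c[2], mu)
        elif tag == 'declass':
            v = ev(c[2], mu)
            if mon.sigma[c[1]] < level(c[2], mon.sigma):   # real downgrading: ->_d
                mon.declass(id(c), v)           # the node identity stands for gamma_j
            mu[c[1]] = v
        elif tag == 'if':
            stack.append(c[2] if ev(c[1], mu) else c[3])
        elif tag == 'while' and ev(c[1], mu):
            stack.extend([c, c[2]])
        elif tag == 'input':                    # input channels are assumed long enough
            mu[c[1]] = I[c[2]][p[c[2]]]
            p[c[2]] += 1
        elif tag == 'output':
            mon.output(c[2], ev(c[1], mu))
    return mu

def error_reachable(prog, sigma, variables, ell, values, I=None):
    """Self-composition by enumeration: each initial store over `values` (the 'number of bits'
    of Section V) is paired with every ell-indistinguishable store; the first run stores and the
    second matches. Input channels are given and shared (RST). Returns a witness pair or None."""
    sigma = {**sigma, '__final__': 0}       # explicit final output of the public variables
    I = I or {}
    low = [x for x in variables if sigma[x] <= ell]
    for a in product(values, repeat=len(variables)):
        mu1 = dict(zip(variables, a))
        for b in product(values, repeat=len(variables)):
            mu2 = dict(zip(variables, b))
            if any(mu1[x] != mu2[x] for x in low):
                continue                        # mu ~_ell mu' fails: not a correlative pair
            mon = StoreMatch(sigma, ell)
            for mu in (mu1, mu2):
                chans = {k: list(v) for k, v in I.items()}
                end = run(prog, dict(mu), chans, dict.fromkeys(I, 0), mon)
                for x in (low if mon.state == 'ok' else []):
                    mon.output('__final__', end[x])
                mon.matching = True             # RST: the pairing part of the model starts here
            if mon.state == 'error':
                return mu1, mu2
    return None

SIGMA = {'h': 1, 'l': 0}                                  # constructed policy: h high, l low
P0 = ('seq', ('asg', 'l', 'h'), ('declass', 'l', 'h'))    # Table IV, P0: where-secure
P1 = ('seq', ('declass', 'l', 'h'), ('asg', 'l', 'h'))    # Table IV, P1: where-secure
```

A returned pair is a concrete counterexample: two initial stores that agree on the public variables yet drive the paired model into error.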

Theorem 1 (Correctness). Let $SC(\mathcal{P}^\ell)$ be the pushdown system w.r.t. security domain $\ell$ generated by our self-composition on the model of program P. If $\forall \ell \in \mathcal{D}$, the state error of $SC(\mathcal{P}^\ell)$ is unreachable from any initial state, then P satisfies the where-security.

(The proof is sketched in the technical report [19].)

V. Evaluation 

We implement Algorithm 1 as part of the parser of Remopla [24] and use Moped as the black-box back-end engine for the reachability analysis. Here we use experiments to evaluate:

1. whether the property defined by where-security is similar to the existing properties on the where-dimension, e.g. [8], [10], and what the real difference between these properties is;

2. the preciseness of the mechanism compared with the type systems in enforcing the respective security properties;

3. whether the store-match pattern can really reduce the state space as well as the cost of verification.

The experiments are performed on a laptop with a 1.66GHz Intel Core 2 CPU, 1GB RAM and Linux kernel 2.6.27-14-generic. The test cases are chosen from related works, see Table IV.

Firstly, we illustrate that where-security is more relaxed than WHERE [8], [16] and gradual release [10]. Lux and Mantel [16] have proposed another two prudent principles: noninterference up-to and persistence. Compared with the four basic principles, these two principles are not generally used for policies on different dimensions. The conformance of the properties with these principles is given in Table III. Similar to gradual release, the program P1 in Table IV is secure (denoted by ✓) w.r.t. where-security. This indicates that the two properties do not comply with persistence, since the reachable command l := h is obviously not secure. On the contrary, WHERE rejects this program. Our where-security does not comply with noninterference up-to because the definition deduces relations on the final states but not on the states before the declass primitives. A typical example is P0. It is where-secure but judged insecure by WHERE and gradual release. Although different on these special cases, the where-security characterizes a property similar to WHERE and gradual release for most cases in Table IV, see the columns WHERE, GR and where.




[Fig. 3: bar chart over the test cases F1–F7; the image is not reproduced here]

Fig. 3. Cost Reduction with Store-Match Pattern

Then we evaluate the preciseness of our enforcement mechanism. In Table IV, T1 is the well-typedness of the program judged by the type system in Fig. 4 of [8]. T2 is the judgement of the type system given in Fig. 3 of [10]. RA is the reachability analysis result using our mechanism; ✓ means the state error is not reachable. The analysis time T is related to the number of bits of each variable, which we set to 3, meaning that each variable in the model has the range $0 \ldots 2^3 - 1$. A larger number of bits corresponds to an increase in the state space of the model and in the analysis time. On the other hand, the number of bits per variable is also meaningful because, if it is too small for the model of an insecure program, the illegal path cannot be caught. This causes a false positive, which can be avoided by setting the number of bits per variable sufficiently large. We record the minimum number of bits needed to avoid the false positive as $N_{\mathit{min}}$. The analysis might be time consuming when $N_{\mathit{min}}$ is large. For a secure program, the illegal-flow state is unreachable for any number of bits, therefore $N_{\mathit{min}}$ is not recorded. The program filter in Table IV has a more complex policy. From the escape hatch information we have $\mathit{reader} \preceq \mathit{network}$. The model is constructed and transformed on the respective security domains. On each security domain, different public variables are modeled as output in the end, and the state error of the transformed model is unreachable. Our enforcement is more precise compared with the type systems, which reject some secure programs (P2, P6, P7 for WHERE and P1, P2, P6 for gradual release).

Finally, we evaluate the reduction in the cost of verification provided by the store-match pattern. We compare our mechanism with a model transformation, i.e. Tr in Fig. 3, which duplicates the public output channels and constructs the illegal-flow state following the pairing part of the model. The test cases containing I/O are from Fig. 4 of [26], and are named F1–F7 in Fig. 3. These experiments show that the store-match pattern can give an overall 41.4% reduction in the cost of verification. The number of bits per variable is set to 3 as well.

VI. Conclusion 

We propose a security property on the where-dimension of declassification. The property is proved to comply with the three classical prudent principles. We also give a precise enforcement based on the reachability analysis of a pushdown system derived by a variant of self-composition. To migrate our approach to the properties on other dimensions of declassification, e.g. the delimited release [17] on the what-



TABLE IV

Property and Enforcement Comparison with WHERE and Gradual Release

Case    From             WHERE  T1  GR  T2  where  RA  T(ms)  Nmin
Ex2     Example 2, [6]   ✗      ✗   ✗   ✗   ✗      ✗   39.2   2
RSA     Example 5, [6]   ✗      ✗   ✗   ✗   ✗      ✗   1.09   1
C1      Example 1, [8]   ✗      ✗   ✗   ✗   ✗      ✗   0.55   1
C2      Example 1, [8]   ✓      ✓   ✓   ✓   ✓      ✓   0.59
C3      Example 1, [8]   ✓      ✓   ✓   ✓   ✓      ✓   0.49
filter  Fig. 6, [8]      ✓      ✓   ✓   ✓   ✓      ✓   5.47
P0      Sec. 1, [25]     ✗      ✗   ✗   ✗   ✓      ✓   0.44
P1      Sec. 2, [10]     ✗      ✗   ✓   ✗   ✓      ✓   0.53
P2      Sec. 3, [25]     ✓      ✗   ✓   ✗   ✓      ✓   0.64
P3      Sec. 2, [10]     ✗      ✗   ✗   ✗   ✗      ✗   3.53   1
P4      Sec. 4, [25]     ✗      ✗   ✗   ✗   ✗      ✗   2.03   1
P5      Sec. 4, [25]     ✗      ✗   ✗   ✗   ✗      ✗   0.61   1
P6      Sec. 5, [25]     ✓      ✗   ✓   ✗   ✓      ✓   0.37
P7      Sec. 2, [10]     ✓      ✗   ✓   ✓   ✓      ✓   1.91

Programs P0–P7 listed in the table:

P0  l := h; l := declass(h);
P1  l := declass(h); l := h;
P2  h1 := h2; l := declass(h1);
P3  h1 := h2; h2 := 0;
    l1 := declass(h1); h2 := h1; l2 := h2;
P4  h2 := 0;
    if h1 then l := declass(h1)
    else l := declass(h2);
P5  l := h;
    l := 0;
    if l then l := declass(h) else skip;
    l := h;
P6  h2 := 0;
    if h1 then l := declass(h1) else l := 0;
P7  l := declass(h = 0);
    if l then l1 := declass(h1) else skip;



dimension, the key point is to focus on the indistinguishability 
of declassified expressions on the pair of initial states. The 
study on the enforcement of properties on the other dimensions 
is left to our future work. 
Appendix



Proof of Lemma 1. Suppose any trace of the program P[C'/C] is of the form

$$(\mu, I, O, p, q, P[C'/C]) \to^* (\mu_j, I, O_j, p_j, q_j, C'; P_j) \twoheadrightarrow (\mu_k, I, O_k, p_k, q_k, P_j) \to^* (\mu_f, I, O_f, p_f, q_f, \mathit{skip}).$$

Because C and C' are semantically equivalent, we also have $(\mu_j, I, O_j, p_j, q_j, C; P_j) \twoheadrightarrow (\mu_k, I, O_k, p_k, q_k, P_j)$. Moreover, since C and C' are declassification-free, the substitution will not influence the conjunction of equivalences on declassified expressions in P[C'/C]. Therefore the indistinguishability on the final configurations, that is $\mu_{n+1} \sim_\ell \mu'_{n+1} \wedge O_{n+1} \sim_\ell O'_{n+1}$, holds before and after the substitution. ■

Proof of Lemma 2. From the operational semantics we can see that $\to_d$ can only occur when a declass command is executed and the declassified expression contains some information with a security domain higher than the security domain of x. That P has no declassification implies that in any trace of computation of P there is no $\to_d$. The where-security of P degenerates to the case n = 0. Therefore the where-security becomes noninterference according to the definition, with $\mu_f = \mu_1$ and $O_f = O_1$. ■

Proof of Lemma 3. There are actually two cases, depending on whether the substitution introduces a real declassification.

1. If $\sigma(e) \preceq \sigma(x)$, the computation of $x := \mathit{declass}(e)$ is identical to the ordinary assignment $x := e$ and $\to$ is not labeled as $\to_d$. The where-security of $P[x := \mathit{declass}(e)/x := e]$ does not change compared with the where-security of $P[x := e]$.

2. Suppose we have $\sigma(x) \prec \sigma(e)$. The computations of $x := e$ in the two correlative runs of $P[x := e]$ are of the form

$$(\mu, I, O, p, q, P[x := e]) \to^* (\mu_j, I, O_j, p_j, q_j, x := e; P_j) \to (\mu_j[x \mapsto \mu_j(e)], I, O_j, p_j, q_j, P_j) \to^* (\mu_{n+1}, I, O_{n+1}, p_{n+1}, q_{n+1}, \mathit{skip})$$

and

$$(\mu', I', O', p', q', P[x := e]) \to^* (\mu'_j, I', O'_j, p'_j, q'_j, x := e; P_j) \to (\mu'_j[x \mapsto \mu'_j(e)], I', O'_j, p'_j, q'_j, P_j) \to^* (\mu'_{n+1}, I', O'_{n+1}, p'_{n+1}, q'_{n+1}, \mathit{skip}).$$

From the premise of the where-security of $P[x := \mathit{declass}(e)/x := e]$ we have $\bigwedge_{k=1..n}(\mu_{k_s} \sim_\ell \mu'_{k_s} \wedge \mu_{k_s}(e_k) = \mu'_{k_s}(e'_k))$. That implies $\bigwedge_{k=1..n,\,k \ne j}(\mu_{k_s} \sim_\ell \mu'_{k_s} \wedge \mu_{k_s}(e_k) = \mu'_{k_s}(e'_k))$ and, because $P[x := e]$ is where-secure, we have $\bigwedge_{k=1..n,\,k \ne j}(\mu_{k_t} \sim_\ell \mu'_{k_t})$. Because $\mu_j \sim_\ell \mu'_j \wedge \mu_j(e) = \mu'_j(e)$, according to the semantics we have $\mu_j[x \mapsto \mu_j(e)] \sim_\ell \mu'_j[x \mapsto \mu'_j(e)]$, that is $\mu_{j_t} \sim_\ell \mu'_{j_t}$ for $P[x := \mathit{declass}(e)/x := e]$, and therefore $\bigwedge_{k=1..n}(\mu_{k_t} \sim_\ell \mu'_{k_t})$. On the other hand, since the substitution does not change the semantics of the program, restricting the premise $\bigwedge_{k=1..n,\,k \ne j}(\mu_{k_s}(e_k) = \mu'_{k_s}(e'_k))$ with a conjunct $\mu_j(e) = \mu'_j(e)$ will not influence the consequence that $\mu_{n+1} \sim_\ell \mu'_{n+1} \wedge O_{n+1} \sim_\ell O'_{n+1}$. The where-security of $P[x := \mathit{declass}(e)/x := e]$ is proved. ■

Proof of Theorem 1. Suppose program P violates the where-security property; that means

$$\exists k_0.\ \mu_{k_0,s} \sim_\ell \mu'_{k_0,s} \wedge \mu_{k_0,s}(e_{k_0}) = \mu'_{k_0,s}(e'_{k_0}) \wedge \neg(\mu_{k_0,t} \sim_\ell \mu'_{k_0,t})$$

$$\vee\ \bigwedge_{k=1..n}(\mu_{k_s}(e_k) = \mu'_{k_s}(e'_k)) \wedge \neg(O_{n+1} \sim_\ell O'_{n+1}).$$

Here $\mu_{n+1} \sim_\ell \mu'_{n+1}$ has been adapted to $O_{n+1} \sim_\ell O'_{n+1}$ by modeling final outputs of the public variables. If the first relation is satisfied, the variables $x_k$ and $x'_k$ in $x_k := \mathit{declass}(e_k)$ and $x'_k := \mathit{declass}(e'_k)$ are different variables. Therefore the respective pushdown rules must have different $\gamma_j$ as the label of the stack symbol $\mathit{declass}_{\gamma_j}$, which we suppose to be $\gamma_k$ and $\gamma_{k'}$ with $\gamma_k \ne \gamma_{k'}$. From $\mathrm{DS}_{\gamma_k}$ and $\mathrm{DM}_{\gamma_k}$ we have $\mathcal{D}[\rho(\gamma_{k'})] = e'_k$. The value in $\mathcal{D}[\rho(\gamma_{k'})]$ is irrelevant to $e_k$, and $x_k$ in the second run is not restricted by $\mathrm{DM}_{\gamma_{k'}}$. When the final $x_k$ and $x'_k$ are output, the inequality of the final $x_k$ of the correlative executions makes the state error reachable according to the rule $\mathrm{OM}_i$ of the channel $O_i$ that receives $x_k$. If the second relation is satisfied, $\exists i.\ q_i \ne q'_i \vee (\exists 0 \le k_0 < q_i.\ O_i[k_0] \ne O'_i[k_0])$. If $q_i \ne q'_i$, we can suppose $q_i < q'_i$ because the correlative runs are symmetrical. Then there must be some e of $\mathit{output}(e, O_i)$ in P that is compared with the indefinite value in $O_{i,n+1}[q_i]$ during the execution of the second run. Otherwise we have $O_{i,n+1}[k_0] \ne O'_{i,n+1}[k_0]$. Then if $O'_{i,n+1}[k_0]$ is generated by $\mathit{output}(e, O_i)$, the second run is directed by $O_i[k_0] \ne e$ according to the rule $\mathrm{OM}_i$ and error is reachable. From the contrapositive the theorem is proved. ■



